| 1411 |
2024-08-08 15:33
|
picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(189.15.73.202) - malware
189.15.73.202
|
|
|
7.6 |
M |
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1412 |
2024-08-08 14:42
|
 66b274e0e1b95_shapr3D.exe a80b3beac20e2a5d805c51c36ba14a53
Generic Malware Malicious Library Malicious Packer UPX DllRegisterServer dll PE File PE64 OS Processor Check VirusTotal Malware crashed |
|
|
|
|
1.4 |
M |
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1413 |
2024-08-08 14:42
|
 66b1f63c9578f_doz.exe 07d615115d848b9b21d425e72116537e
Stealc Client SW User Data Stealer LokiBot ftp Client info stealer Malicious Library .NET framework(MSIL) UPX ASPack Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
3
https://steamcommunity.com/profiles/76561199747278259 - rule_id: 41798
https://steamcommunity.com/profiles/76561199747278259
https://t.me/armad2a
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
188.245.87.202 - mailcious
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
1
https://steamcommunity.com/profiles/76561199747278259
|
17.8 |
M |
49 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1414 |
2024-08-08 14:41
|
 IEnetworks.hta 948f32b531ba5004430eacb7a1eaa9e3
Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://69.166.230.221/113/sahost.exe
|
1
|
5
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
12.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1415 |
2024-08-08 14:40
|
 95.hta f85f36a24ed9678e95ba7e369261d581
Generic Malware Antivirus Downloader AntiDebug AntiVM PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows ComputerName DNS Cryptographic key |
1
http://192.3.176.138/95/sahost.exe
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.4 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1416 |
2024-08-08 14:40
|
 66b1c36969eae_main.exe 3d04dfed5185e2f62819f0951249e391
Client SW User Data Stealer LokiBot RedLine stealer ftp Client info stealer Malicious Library Antivirus .NET framework(MSIL) ASPack UPX Http API PWS HTTP Code injection Internet API AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check FTP Client Info Stealer VirusTotal Malware Telegram PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Windows utilities Collect installed applications suspicious process malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Windows Browser ComputerName DNS Software |
2
https://steamcommunity.com/profiles/76561199751190313
https://t.me/pech0nk
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(23.222.161.105) - mailcious
149.154.167.99 - mailcious
184.26.241.154 - mailcious
78.47.227.64
|
3
ET INFO TLS Handshake Failure
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
18.2 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1417 |
2024-08-08 14:39
|
 70.hta d25adfb8a78f72868ee40f379c1d9fe2
Generic Malware Downloader Antivirus AntiDebug AntiVM PowerShell MSOffice File PE File DLL PE32 .NET DLL VirusTotal Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed |
1
http://192.3.176.138/70/sahost.exe
|
1
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
11.6 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1418 |
2024-08-08 14:37
|
 106.hta 3c35707d9cacb409481600e0b5eed83a
Generic Malware Antivirus Downloader PE File DLL PE32 .NET DLL Malware download VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://192.3.176.138/106/sahost.exe
|
1
|
5
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
10.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1419 |
2024-08-08 14:37
|
wecreatednewentertainmenttound... 0016aef348632b4114588b23be613073
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed |
1
http://192.210.150.33/88/sweetdresswearwithgirlstyle.gIF
|
3
archive.org(207.241.224.2) - mailcious
207.241.224.2 - mailcious
192.210.150.33 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1420 |
2024-08-08 14:28
|
 hvilkes-receipt.vbs be57d52692dc2ef67f7c35290b424149
Generic Malware Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
|
2
s2r.tn(70.38.21.234)
70.38.21.234
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1421 |
2024-08-08 14:28
|
mygirlistotalchangeswithentire... c29dda8b224f54eeade764fdb7c6bb23
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed |
1
http://192.3.109.147/88/greatbiscutforbabieshealthgreatthings.gIF
|
3
servidorwindows.ddns.com.br(189.15.73.202) - malware
192.3.109.147 - mailcious
189.15.73.202
|
|
|
6.8 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1422 |
2024-08-08 14:26
|
 like.exe f40919d4beadd501ea89202a719ab940
Malicious Library PE File PE64 Malware download Cobalt Strike Cobalt VirusTotal Malware RWX flags setting unpack itself ComputerName DNS |
2
http://23.94.247.40:7890/OBjb
http://23.94.247.40:7890/ga.js
|
2
45.33.6.223
23.94.247.40 - mailcious
|
2
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
|
|
3.8 |
|
61 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1423 |
2024-08-08 14:26
|
picturegreatforeveryonetokissh... ab5e63bdc212cfe4832dcfaa5bcd47dd
Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut ICMP traffic unpack itself Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS |
1
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
|
2
servidorwindows.ddns.com.br(189.15.73.202) - malware
189.15.73.202
|
|
|
8.4 |
|
3 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1424 |
2024-08-08 14:26
|
 hmay.txt.exe edfad175f97fe91185a1ed5beed5f468
PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself ComputerName DNS DDNS |
|
2
hmay8500.duckdns.org(12.221.146.138)
12.221.146.138 - mailcious
|
2
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
5.4 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1425 |
2024-08-08 14:24
|
sincesheiseverbuildnewthingent... f4b49bfacf066b76dd2f64aa5667e927
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware Malicious Traffic ICMP traffic exploit crash unpack itself Exploit DNS DDNS crashed |
1
http://192.3.193.155/xampp/uhj/picturegreatforeveryonetokissherlips.gIF
|
4
servidorwindows.ddns.com.br(189.15.73.202) - malware
3.33.130.190 - phishing
192.3.193.155
189.15.73.202
|
|
|
6.8 |
|
35 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|